Generally Accepted Privacy Principles

The AICPA and the Canadian Institute of Chartered Accountants (CICA) have formed the AICPA/CICA Privacy Task Force, which has developed the Generally Accepted Privacy Principles (GAPP). This document supersedes the AICPA and CICA Privacy Framework. Using GAPP, CPAs can help organizations design and implement sound privacy practices and policies. These principles and criteria were developed and updated by volunteers who considered both current international privacy regulatory requirements and best practices. These principles and criteria were issued following the due process procedures of both institutes, which included exposure for public comment. The adoption of these principles and criteria is voluntary.

Generally Accepted Privacy Principles and Criteria

GAPP is designed to assist management in creating an effective privacy program that addresses their privacy obligations, risks, and business opportunities.

The privacy principles and criteria are founded on key concepts from significant local, national, and international privacy laws, regulations, guidelines, and good business practices. By using GAPP, organizations can proactively address the significant challenges that they face in establishing and managing their privacy programs and risks from a business perspective. GAPP also facilitates the management of privacy risk on a multi-jurisdictional basis.

Download the Executive Overview of GAPP to start using GAPP.

GAPP provides criteria and related material for protecting the privacy of personal information and can be used by certified public accountants (CPAs) in the United States and chartered accountants (CAs) in Canada, both in industry and in public practice, to guide and assist the organizations they serve in implementing privacy programs. GAPP has been developed from a business perspective, referencing some, but by no means all, significant local, national, and international privacy regulations. GAPP is the intellectual capital and body of knowledge that provides the foundation for CPA and CA-related privacy advisory and assurance services.

CPAs and CAs in public practice will be able to offer clients a full range of services, including privacy strategic and business planning, privacy gap and risk analysis, benchmarking, privacy policy design and implementation, performance measurement, and independent verification of privacy controls, which includes attestation engagements. CPAs and CAs in industry can enhance their value to their employers by offering privacy advisory services and performing internal assessments against something they can measure—generally accepted privacy principles.

The CPA and CA practitioner version is identical to GAPP with the exception of appendix B, "CPA and CA Practitioner Services Using Generally Accepted Privacy Principles," and appendix C, "Illustrative Privacy Examination and Audit Reports." These additional appendixes are intended primarily to assist CPAs and CAs in public practice in providing privacy services to their clients.